[Snort-users] Snort performance concerns

Joel Esler joel.esler at ...1935...
Fri Sep 30 07:32:32 EDT 2005

If you are interested in Sourcefire products, we can definitely put  
you in touch with someone that will be able to answer all your  

Can you please describe the systems that you have?  Hardware?  RAM,  
processor... nic card..  OS..

What is your output method?  database?  unified?  pcap?

Joel Esler

On Sep 30, 2005, at 10:25 AM, Larry Wichman wrote:

> I enabled Performance Monitor on my sensors and I have some  
> concerns after looking at some of the performance stats. First, I  
> have three sensors, two of which average 96mb/sec of traffic and  
> the dropped packets percentage average is about 10% (proc and  
> memory utilization are high, as expected). I have a third sensor  
> that sees an average of about 5mb/sec and has the same amount of  
> dropped packets, memory and proc utilization are minimal. I have  
> implemented all the suggested optimizations (I think), patched  
> Libpcap, etc….I can understand that there would be some dropped  
> packets when the traffic is at a high, continuous load, but the  
> third sensor with the same amount of dropped packets with only a  
> fraction of the traffic  concerns me.  I am thinking about  
> upgrading the hardware (faster proc, bus speeds, etc…), but I might  
> be wasting money if the stats are the same.  Does anyone have any  
> input as to what is causing the dropped packets?
> Also, my boss told me to start evaluating commercial products. My  
> first choice would be Sourcfire, I really do like working with  
> Snort, but I need whatever product I choose to be able to handle  
> the amount of traffic that we have. I would greatly appreciate any  
> input on this. Cheers.
> Larry

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20050930/c31368ed/attachment.html>

More information about the Snort-users mailing list